https://community.splunk.com/t5/Splunk-Search/Timechart-with-sum-at-single-value-level/m-p/305601#M91723 <P>This is an option,<BR /> but I'd like to get a tabular output, like</P> <P>incident duration AppID Weekly_Inc_duration</P> <P>in order to have the chance afterwards to append some further column and import this search as DataSet for further processing.</P> <P>Tks!<BR /> Carmine</P> Tue, 29 Sep 2020 17:38:55 GMT CarmineCalo 2020-09-29T17:38:55Z https://community.splunk.com/t5/Splunk-Search/Timechart-with-sum-at-single-value-level/m-p/305599#M91721 <P>Splunkers!<BR /> Need your help...</P> <P>I created a search piping the following fields (simplified)</P> <P>_time AppID Incident_duration</P> <P>I have to group incidents duration by week, running a timechart, at AppID level:</P> <P>| timechart span=1w values(AppID) as AppID, sum(incident_duration) as Weekly_Inc_duration</P> <P>Unfortunately, returned AppID field is a multivaluefield (whenever in the same week there are multiple AppID with an incident event) and in this case Weekly_Inc_duration is the sum of the duration for all those AppIDs.<BR /> I'd like to get as output the sum at AppID level.</P> <P>Can you help me?</P> <P>Tks!<BR /> CArmine</P> Tue, 29 Sep 2020 17:38:52 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-with-sum-at-single-value-level/m-p/305599#M91721 CarmineCalo 2020-09-29T17:38:52Z https://community.splunk.com/t5/Splunk-Search/Timechart-with-sum-at-single-value-level/m-p/305600#M91722 <P>Do you mean like:</P> <PRE><CODE>| timechart span=1w sum(incident_duration) as Weekly_Inc_duration BY AppID </CODE></PRE> Sat, 13 Jan 2018 23:02:02 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-with-sum-at-single-value-level/m-p/305600#M91722 micahkemp 2018-01-13T23:02:02Z https://community.splunk.com/t5/Splunk-Search/Timechart-with-sum-at-single-value-level/m-p/305601#M91723 <P>This is an option,<BR /> but I'd like to get a tabular output, like</P> <P>incident duration AppID Weekly_Inc_duration</P> <P>in order to have the chance afterwards to append some further column and import this search as DataSet for further processing.</P> <P>Tks!<BR /> Carmine</P> Tue, 29 Sep 2020 17:38:55 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-with-sum-at-single-value-level/m-p/305601#M91723 CarmineCalo 2020-09-29T17:38:55Z https://community.splunk.com/t5/Splunk-Search/Timechart-with-sum-at-single-value-level/m-p/305602#M91724 <P>Probably i found the solution<BR /> Timechart was the wrong way to create the dataset i was looking for.</P> <P>I add within the search the calculation of fa field, dateweek_year, extracting Year+Week from _time<BR /> Than i simply run the stats command, in this way</P> <P>| stats sum(incident_unavailability) as Unavailability by dateweek_year, CI</P> <P>It seems to work <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 29 Sep 2020 17:38:58 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-with-sum-at-single-value-level/m-p/305602#M91724 CarmineCalo 2020-09-29T17:38:58Z https://community.splunk.com/t5/Splunk-Search/Timechart-with-sum-at-single-value-level/m-p/305603#M91725 <P>hey</P> <P>looking at your comments section you can try</P> <PRE><CODE>| eval dateyearweek=strftime(_time,"%Y-%U") | stats sum(incident_duration) as Weekly_Inc_duration BY AppID dateyearweek </CODE></PRE> <P>Depending of your country, you have 2 variations :</P> <P>%U is replaced by the week number of the year (Sunday as the first day of the week) as a decimal number [00,53].</P> <P>%V is replaced by the week number of the year (Monday as the first day of the week) as a decimal number [01,53]. If the week containing 1 January has four or more days in the new year, then it is considered week 1. Otherwise, it is the last week of the previous year, and the next week is week 1.</P> <P>Let me know if this helps!</P> Sun, 14 Jan 2018 08:45:06 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-with-sum-at-single-value-level/m-p/305603#M91725 mayurr98 2018-01-14T08:45:06Z